Is this password scheme legit?

Full disclosure: I work for a company, which distributes such cards. This answer however is my own personal opinion of them.


The idea of these cards is that some users are just really bad at remembering passwords or pass phrases. The naïve approach would be to tell users "Just get better at remembering passwords", but experience has shown that such advice is counter-productive with some users.

Their memory seems to be hard-wired to only recall simple words, which probably have something to do with their work. So somebody working in a car factory may remember a word such as Engine.

Engine, of course, is a terrible password - both in length and entropy. So the "Kryptonizer" or similarly named cards try to add both of those.

Length is added by the prefix, 4uR=? in this case. It immediately increases the password length by 5 characters, bumping a 6 character password up to an 11 character password. Not perfect, but an improvement.

Entropy is added by substituting each character with a randomly chosen character. Not exactly a 1:1 substitution, but close enough. Since each card is unique, one can't build a pre-made rule on how to mangle each dictionary phrase.

In this example, Engine would turn into 4uR=?1YFFY1. Is this a good password? Probably not great, but certainly a lot better than Engine.

Problems with this scheme

Of course, it's not a perfect system. A good passphrase can't be replaced by a little paper card. Since three input characters map to one output character, the resulting password loses entropy instead of gaining it. The net entropy gain is that attackers can't use dictionary attacks as easily anymore. In order to do that, they would need to gain access to the mapping or perform an exhaustive search. If an attacker knows that such a card was used, they can use this to their advantage to speed up an exhaustive search.

Furthermore, users are expected to keep their card around, and many will probably leave it on their desk, under their keyboard or in similar bad locations. If they lose their card, they will probably lose their password too. They will need a new card, and change their password as well, which is not that good for usability.

Summary

So, is this a good system? Ultimately, I would say you have to judge it in the context of what it is designed to do. It's an aid for a specific group of users, who would otherwise use ungodly terrible passwords. And helping users choose marginally better passwords for a negligible cost is a good thing, in my opinion. Of course, it is not a silver bullet that magically solves the problem of credential storage and generation.

If possible, always use a password manager, let it generate long, high-entropy passwords and store them for you in a safe manner.

If this is not possible (e.g. for OS logins), I recommend either using Diceware or creating a long, nonsensical sentence, such as TheGreenLightFromOurEyesShinesThroughTheMirrorOfTime.. Just ensure that such a sentence isn't taken from a book or movie.


It always depends on what you compare it with! What is the realistic alternative, that users would actually use, to using this card?

Clearly, 4uR=?F133Y9Yi31 is a much better password than HELLOWORLD. If you are giving this card to a non-techie whos not going to pick good passwords or use a password manager anyway, then it's an improvement.

On the other hand, using this system is much worse than just picking a random 16 letter password that you'll never remember and storing it in your password manager. An attacker who knows what letters there are on the card (e.g. by looking at leaked passwords from the same user) could easily crack it - suddenly it is no better than HELLOWORLD!

So is this a good idea for people who might use a password manager? No, absolutely not. For your grandpa? Maybe! Don't let perfect be the enemy of the good.


Not 100% clear from your exposition, but I understand the second row is generated independently at random for each card. I'll work from that assumption. I'll further assume that:

  • The attacker is trying to guess your password.
  • The attacker knows you've generated your password using such a card.
  • The attacker doesn't know the random content unique to your card.
  • The attacker has the means to efficiently test their guesses, e.g., because they stole a password database entry with a hash of your password.

How hard is it for the attacker to succeed?

First, they have to guess the 5 random start symbols. If they're picked from a set of 66 characters as you say, each have about log2(66) ≈ 6 bits of entropy, for a total of 6 × 5 = 30 bits collectively—about the same strength already as the (in)famous Tr0ub4dor&3.

Second: As part of the process for using the card, you choose a human password. But the card divides the alphabet into eight groups such that letters in each group are treated as equivalent choices with one another. This means that after grouping, each letter in the human password cannot contribute any more than log2(8) = 3 bits of entropy, but in practice it will be less:

  • Some groups' letters are more frequent than others';
  • Some words are more frequent than others;
  • Some human passwords (e.g., PASSWORD) are distressingly more frequent than others.

Third: Each of these groups is assigned a randomly chosen character out of a set of 66. Each of those choices is about 6 bits of entropy, and that times eight groups sounds like 48 bits... but it's unlikely the attacker will have to crack the whole table in your card, because more likely than not, the human password will only "trigger" a subset of the eight groups, and they won't have to guess the symbols assigned to the "dormant" groups. If you pick 8 items randomly with replacement out of a set of 8, you expect to draw about 5 distinct items (source), which means the amount of the table's entropy that an eight-character human password is most likely to trigger is 30 bits. But some human passwords would trigger fewer groups, and some would trigger more.

Analyzing the interaction between statistical patterns of English text and the groupings in the cards is left as a tedious exercise for the reader. I think we can conclude tentatively that this card method isn't obviously broken—it will produce passwords with a guarantee of least 36 bits of entropy (30 for the start characters, 6 for triggering just one group), and you're realistically likely to see 54 bits (30 bits for start characters, 24 for triggering four groups) even without counting any entropy from the human passwords.

I don't think we should be surprised if this method doesn't suck. After all, my explanation above demonstrates that each card contains 78 bits of entropy: 30 from the initial five, 48 from the random assignment of characters to groups. 78 bits is about the entropy of 12-character random printable ASCII string (12 × log2(95)). Packing this much entropy into a small card is a neat idea; the weakness with the scheme is that it doesn't reliably exploit all of it (the "dormant" groups issue).


Another scenario we could consider is this. Suppose the attacker manages to steal your generated password (e.g., from a website that stores it as plaintext). Can they work backwards from that to guess your human password or the random values in your card? Well, in that case the initial five random characters are just hopelessly compromised, and breaking the human password looks roughly similar to breaking a monoalphabetic substitution cipher, so it's not looking too good. But I'll note this:

They also recommend to use this card for only one password and change it, if you lose the card.

...and if you follow their recommendation, the compromise of one card's content can only compromise the one human password that was supplied as input to that card. We should probably add that you shouldn't reuse the same human password with multiple cards.